from the oh-wait,-that-takes-work dept

Once again, we find lawmakers who seemingly championed "strong privacy" rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data with one another in order to provide better services. But, here's the problem: doing so without "consent" would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O'Donovan, decided to try to take the easy way out and say that the government should be able to "infer" consent, if someone made use of the government service in the past:

“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”

Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of "don't do anything at all with my data" often fail to realize how extreme that position is, and how it limits perfectly normal functions.

But, in this case, it comes across as just another example of where governments are saying, "do as I say, not as I do..."

from the this-could-be-a-mess dept

If you haven't dealt with it, the "EU-US data protection safe harbor" is somewhat confusing to deal with. The basics, however, are that under an agreement between the US and the EU, if US companies wish to transfer data out of Europe and to American servers, they have to abide by this "safe harbor" process, whereby they agree to take certain steps to keep that data safe and out of prying eyes. The process itself is something of a joke (we at Techdirt have actually gone through it to make sure we weren't violating the law -- though I imagine many small American internet companies don't even know it exists). You basically have to pay a company to declare you in compliance, which in reality often just means that the company reviews your terms of service/privacy policy to make sure it has specific language in it. There have been plenty of (potentially reasonable) complaints out of the EU that the safe harbor process doesn't actually do much to protect Europeans' data. That may be true, but the flipside of it isn't great either. Without the safe harbor framework, it's possible that it would be much more difficult for American internet companies to operate in Europe -- or for Europeans to use American internet companies. Some in Europe may think that's a good idea, until they suddenly can't use large parts of the internet.

The European Court of Justice still needs to come out with its final decision, but it usually (though not always!) agrees with the Advocate General's recommendation. Here, the Advocate General basically says that NSA surveillance has completely undermined the idea that the US can keep Europeans' data safe, and thus the safe harbor cannot stand.

According to the Advocate General, that interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance. Indeed, the access which the United States intelligence authorities may have to the personal data covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued. The Advocate General considers that, in those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbour scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalised access to the transferred data. Indeed, no independent authority is able to monitor, in the United States, breaches of the principles for the protection of personal data committed by public actors, such as the United States security agencies, in respect of citizens of the EU.

In short, thanks to indiscriminate mass surveillance by the NSA, we may witness a fractured and fragmented internet. That's a big deal.

The EU Commission and the US have been negotiating for a while to change the EU-US Safe Harbor setup anyway, so it's possible that even if the court follows the Advocate General's suggestion, a new, more acceptable, safe harbor process will be put in place. But, in the short term, this could create quite a mess for the internet. Once again, we see how the NSA's actions, which it claims are to "protect" America, could end up doing massive economic damage to the internet.

from the more-confrontational dept

We pointed out last year that one of the knock-on effects of Edward Snowden's revelations about massive NSA (and GCHQ) spying on Europeans was a call to suspend the economically-critical Safe Harbor program. Without Safe Harbor, it would be illegal under European law for companies like Google and Facebook to take EU citizens' personal data outside the EU, which would make it more difficult to run those services in their present form. Nothing much happened after that call by the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee -- not least because it does not have any direct power to formulate EU policy -- but the unhappiness with Safe Harbor has evidently not gone away.

Heise Online reports that two of Germany's data protection commissioners -- those for the cities of Berlin and Bremen -- have started proceedings against the transfer of data to the US under the Safe Harbor agreement (original in German). This seems to represent a hardening of their position. The Heise article quotes another data protection commissioner, this time for the city of Hamburg, as saying that the mood among his colleagues was more confrontational now. Similarly, the commissioner for Berlin commented:

Whether the US authorities will be willing to make those improvements, or whether they might just hope the European public's dependence on Google and Facebook will prevent drastic action being taken by the EU, remains unclear. Complicating matters still further is a separate argument about whether data flows should be included in the various trade negotiations involving the US and the European Union. The latest move by German data protection commissioners is unlikely to make resolving these issues any easier.

from the well,-thanks-to-fear-mongering dept

The Globe and Mail is running a somewhat sensationalistic piece about a Canadian university, Lakehead University, that decided to start using Google's email system to replace its own buggy and frequently crashed offering. The problem? Fears concerning US data privacy laws, such as the Patriot Act, mean that professors are told not to send confidential info, including grades, via email. This has upset a number of professors who are protesting the use of Google's products. There are a few different points that are worth sifting out of this.

First is the question of whether US laws like the Patriot Act are potentially harming US businesses, as foreign organizations choose not to do business with them due to the implications of those laws. Chances are likely that this is happening quite frequently, even if those fears are totally overblown with respect to reality. Of course, it's not clear why a company like Google doesn't just set up local servers in certain countries, like Canada, to deal with local companies -- and then consider those out of the reach of US laws and authorities. It would seem like a smart business move.

The second question, though, is whether or not the government is really sniffing through everyone's email. The article seems to imply that, thanks to the Patriot Act, the feds have open access to Google's servers. While you can understand the paranoia, that's a bit overstated. The article says: "Using their new powers under the Patriot Act, U.S. intelligence officials can scan documents, pick out certain words and create profiles of the authors." That's not accurate. Or, rather, it's leaving out huge parts of how this is done. The Patriot Act didn't just hand all of Google's info over to the feds so they can create profiles on anyone. I'm not one to defend the Patriot Act, which I think is a terrible piece of legislation, but it does no one any good to make false statements about what it has allowed.

The third question is whether or not Google's own ad displays next to email are troubling to a university -- which is a bogeyman I thought had been killed back around 2004. Given the cost (free) to the university, you'd think they'd understand the tradeoff. The "payment" is the ads. If it's such a problem, then the university is free to go spend however many millions of dollars on building its own system. Or, perhaps Google can offer up an ad-free version for paranoid universities.